THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3...

THE DUKES 7 YEARS OF RUSSIAN

CYBERESPIONAGE F-Secure Whitepaper

September 2015

CONTENTS

EXECUTIVE SUMMARY ........................................................................... 3

THE STORY OF THE DUKES ................................................................... 4

2008: Chechnya ............................................................................................................. 4

Etymology: a note on names ....................................................................................... 5

2009: First known campaigns against the West ......................................................... 6

2010: The emergence of CosmicDuke in the Caucasus ............................................ 7

2011: John Kasai of Klagenfurt, Austria ........................................................................ 8

2011: Continuing expansion of the Dukes arsenal ...................................................... 8

2012: Hiding in the shadows ....................................................................................... 10

2013: MiniDuke flies too close to the sun.................................................................. 10

2013: The curious case of OnionDuke ........................................................................ 12

2013: The Dukes and Ukraine....................................................................................... 13

2013: CosmicDuke’s war on drugs ............................................................................... 13

2014: MiniDuke’s rise from the ashes .........................................................................14

2014: CosmicDuke’s moment of fame and the scramble that ensued ...................14

2014: CozyDuke and monkey videos .......................................................................... 15

2014: OnionDuke gets caught using a malicious Tor node .....................................16

2015: The Dukes up the ante ....................................................................................... 17

2015: CloudDuke ..........................................................................................................20

2015: Continuing surgical strikes with CosmicDuke ................................................. 21

TOOLS AND TECHNIQUES OF THE DUKES ........................................ 22

PINCHDUKE ................................................................................................................. 22

GEMINIDUKE ............................................................................................................... 23

COSMICDUKE .............................................................................................................. 25

MINIDUKE .....................................................................................................................27

COZYDUKE ................................................................................................................... 28

ONIONDUKE................................................................................................................ 29

SEADUKE ...................................................................................................................... 30

HAMMERDUKE ............................................................................................................. 31

CLOUDDUKE ................................................................................................................ 32

INFECTION VECTORS .............................................................................33

DECOYS ....................................................................................................33

EXPLOITATION OF VULNERABILITIES.................................................. 34

ATTRIBUTION AND STATE-SPONSORSHIP ......................................... 34

BIBLIOGRAPHY ........................................................................................37

APPENDIX I: DATA LISTINGS.................................................................. 38

About F-secure ....................................................................................... 43

This whitepaper explores the tools - such as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, etc- of the Dukes, a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making.

F-Secure Whitepaper, September 2015

3

EXECUTIVE SUMMARY

The Dukes are a well-resourced, highly dedicated and organized cyberespionage group

that we believe has been working for the Russian Federation since at least 2008 to collect

intelligence in support of foreign and security policy decision-making.

The Dukes primarily target Western governments and related organizations, such as government

ministries and agencies, political think tanks, and governmental subcontractors. Their targets have

also included the governments of members of the Commonwealth of Independent States; Asian,

African, and Middle Eastern governments; organizations associated with Chechen extremism; and

Russian speakers engaged in the illicit trade of controlled substances and drugs.

The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke,

CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke,

and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large-scale

spear-phishing campaigns against hundreds or even thousands of recipients associated with

governmental institutions and affiliated organizations.

These campaigns utilize a smash-and-grab approach involving a fast but noisy break- in followed

by the rapid collection and exfiltration of as much data as possible. If the compromised target

is discovered to be of value, the Dukes will quickly switch the toolset used and move to using

stealthier tactics focused on persistent compromise and long-term intelligence gathering.

In addition to these large-scale campaigns, the Dukes continuously and concurrently engage

in smaller, much more targeted campaigns, utilizing

different toolsets. These targeted campaigns have been

going on for at least 7 years. The targets and timing of

these campaigns appear to align with the known foreign

and security policy interests of the Russian Federation at

those times.

The Dukes rapidly react to research being published

about their toolsets and operations. However, the

group (or their sponsors) value their operations so

highly that though they will attempt to modify their

tools to evade detection and regain stealth, they will not cease operations to do so, but will instead

incrementally modify their tools while continuing apparently as previously planned.

In some of the most extreme cases, the Dukes have been known to engage in campaigns with

unaltered versions of tools that only days earlier have been brought to the public’s attention by

security companies and actively mentioned in the media. In doing so, the Dukes show unusual

confidence in their ability to continue successfully compromising their targets even when their

tools have been publicly exposed, as well as in their ability to operate with impunity.

the Dukes show unusual confidence in their ability to continue successfully compromising their targets [...], as well as in their ability to operate with impunity.


4

THE STORY OF THE DUKES

The story of the Dukes, as it is currently known, begins with a malware toolset that we call

PinchDuke. This toolset consists of multiple loaders and an information-stealer trojan.

Importantly, PinchDuke trojan samples always contain a notable text string, which we

believe is used as a campaign identifier by the Dukes group to distinguish between multiple

attack campaigns that are run in parallel. These campaign identifiers, which frequently

specify both the date and target of the campaign, provide us with a tantalizing view into the

early days of the Dukes.

2008: Chechnya

The earliest activity we have been able to definitively attribute to the Dukes are two PinchDuke

campaigns from November 2008. These campaigns use PinchDuke samples that were, according

to their compilation timestamps, created on the 5th and 12th of November 2008. The campaign

identifiers found in these two samples are respectively, “alkavkaz.com20081105” and “cihaderi.

net20081112”.

The first campaign identifier, found in the sample compiled on the 5th, references alkavkaz.com,

a domain associated with a Turkish website proclaiming to be the “Chechan [sic] Informational

Center” (image 1, page 5). The second campaign identifier, from the sample compiled on the

12th, references cihaderi.net, another Turkish website that claims to provide “news from the jihad

world” and which dedicates a section of its site to Chechnya.

Due to a lack of other PinchDuke samples from 2008 or earlier, we are unable to estimate when

the Duke operation originally began. Based on our technical analysis of the known PinchDuke

samples from 2008 however, we believe PinchDuke to have been under development by the

summer of 2008.

In fact, we believe that by the autumn of 2008, the Dukes were already developing not one but at

least two distinct malware toolsets. This assertion is based on the oldest currently known sample

of another Duke-related toolset, GeminiDuke, which was compiled on the 26th of January 2009.

This sample, like the early PinchDuke samples, appears to already be a “fully-grown” sample,

which is why we believe GeminiDuke was under development by the autumn of 2008.

That the Dukes were already developing and operating at least two distinct malware toolsets by

the second half of 2008 suggests to us that either the size of their cyberespionage operation was

already large enough to warrant such an arsenal of tools, or that they expected their operation

to grow significantly enough in the foreseeable future to warrant the development of such an

arsenal. We examine each of the Duke toolsets in greater detail later in the Tools and Techniques

section (page 22).


5

Etymology: a note on names

The origins of the Duke toolset names can be traced back to when researchers at Kaspersky Labs

coined the term “MiniDuke” to identify the first Duke-related malware they found. As explained

in their whitepaper[7], the researchers observed the surprisingly small MiniDuke backdoor being

spread via the same exploit that was being used by a malware that they had already named

ItaDuke; the “Duke” part of this malware’s name had in turn come about because it reminded the

researchers of the notable Duqu threat. Despite the shared history of the name itself however, it is

important to note that there is no reason to believe that the Duke toolsets themselves are in any

way related to the ItaDuke malware, or to Duqu for that matter.

As researchers continued discovering new toolsets that were created and used by the same

group that had been operating MiniDuke, the new toolsets were also given “Duke”-derived

names, and thus the threat actor operating the toolsets started to be commonly referred to

as “the Dukes”. The only other publicly used name for the threat actor that we are aware of is

“APT29”[22].

Some exceptions to this naming convention do exist, and in the case of specific Duke toolsets,

other commonly used names are listed in the Tools and Techniques section (page 22).

CloudDukeHammerDuke

SeaDuke

OnionDukeCozyDuke

CosmicDuke

GeminiDukePinchDuke

MiniDuke

ItaDuke

Duqu

“duke”

“duke”

The Dukes


6

2009: First known campaigns against the West

Based on the campaign identifiers found in PinchDuke samples discovered from 2009, the targets

of the Dukes group during that year included organizations such as the Ministry of Defense of

Georgia and the ministries of foreign affairs of Turkey and Uganda. Campaign identifiers from

2009 also reveal that by that time, the Dukes were already actively interested in political matters

related to the United States (US) and the North Atlantic Treaty Organization (NATO), as they ran

campaigns targeting (among other organizations) a US-based foreign policy think tank, another

set of campaigns related to a NATO exercise held in Europe, and a third set apparently targeting

what was then known as the Georgian “Information Centre on NATO”.

Of these campaigns, two clusters in particular stand out. The first is a set of campaigns from

the 16th and 17th of April, 2009, that targeted a US-based foreign policy think tank, as well as

government institutions in Poland and the Czech Republic (image 1, below). These campaigns

utilized specially-crafted malicious Microsoft Word documents and PDF files, which were sent as

e-mail attachments to various personnel in an attempt to infiltrate the targeted organizations.

We believe this cluster of campaigns had a joint goal of gathering intelligence on the sentiments

of the targeted 5 countries with respect to the plans being discussed at the time for the US to

locate their “European Interceptor Site” missile defense base in Poland, with a related radar station

that was intended to be located in the Czech Republic. Regarding the timing of these campaigns,

it is curious to note that they began only 11 days after President Barack Obama gave a speech on

the 5th of April declaring his intention to proceed with the deployment of these missile defenses [1].

The second notable cluster comprises of two campaigns that were possibly aimed at gathering

information on Georgia-NATO relations. The first of these runs used the campaign identifier

“natoinfo_ge”, an apparent reference to the www.natoinfo.ge website belonging to a Georgian

political body that has since been renamed “Information Centre on NATO and EU”. Although

the campaign identifier itself doesn’t contain a date, we believe the campaign to have originated

around the 7th of June 2009, which was when the PinchDuke sample in question was compiled.

This belief is based on the observation that in all of the other PinchDuke samples we have

analyzed, the date of the campaign identifier has been within a day of the compilation date. The

second campaign identifier, which we suspect may be related, is “mod_ge_2009_07_03” from

a month later and apparently targeting the Ministry of Defense of Georgia.

IMAGE 1: EARLY ACTIVITY FROM 2008 & 2009. Left - Screenshot of alkavkaz.com [2] (circa 2008, preserved by the Internet Archive Wayback Machine), which was referenced in 2008 PinchDuke sample. Right - Decoy document from a 2009 PinchDuke campaign targeting Poland, the Czech Republic and a US think tank. The contents appear to have been copied from a BBC news article [3].


7

2010: The emergence of CosmicDuke in the Caucasus

The spring of 2010 saw continued PinchDuke campaigns against Turkey and Georgia, but also

numerous campaigns against other members of the Commonwealth of Independent States

such as Kazakhstan, Kyrgyzstan, Azerbaijan and Uzbekistan. Of these, the campaign with the

identifier “kaz_2010_07_30”, which possibly targeted Kazakhstan, is of note because it is the last

PinchDuke campaign we have observed. We believe that during the first half of 2010, the Dukes

slowly migrated from PinchDuke and started using a new infostealer malware toolset that we call

CosmicDuke.

The first known sample of the CosmicDuke toolset was compiled on the 16th of January 2010. Back

then, CosmicDuke still lacked most of the credential-stealing functionality found in later samples.

We believe that during the spring of 2010, the credential and file stealing capabilities of PinchDuke

were slowly ported to CosmicDuke, effectively making PinchDuke obsolete.

During this period of transition, CosmicDuke would often embed PinchDuke so that, upon

execution, CosmicDuke would write to disk and execute PinchDuke. Both PinchDuke and

CosmicDuke would then operate independently on the same compromised host, including

performing separate information gathering, data exfiltration and communication with a

command and control (C&C) server - although both malware would often use the same C&C

server. We believe the purpose of this parallel use was to ‘fieldtest’ the new CosmicDuke tool,

while at the same time ensuring operational success with the tried-and-tested PinchDuke.

During this period of CosmicDuke testing and development, the Duke authors also started

experimenting with the use of privilege escalation vulnerabilities. Specifically, on the 19th of

January 2010 security researcher Tavis Ormandy disclosed a local privilege escalation vulnerability

(CVE-2010-0232) affecting Microsoft Windows. As part of the disclosure, Ormandy also included

the source code for a proof-of- concept exploit for the vulnerability [4]. Just 7 days later, on the

26th of January, a component for CosmicDuke was compiled that exploited the vulnerability and

allowed the tool to operate with higher privileges.

ONE LOADER TO LOAD THEM ALL (ALMOST)

In addition to all the other components being produced by the Dukes group, in 2010 they were also actively developing and testing a new loader - a component that wraps the core malware code and provides an additional layer of obfuscation.

The first sample of this loader was compiled on the 26th of July 2010, making it a direct predecessor of what has since become known as the “MiniDuke loader”, as later versions were extensively used by both MiniDuke and CosmicDuke.

Some hints about the history of the “MiniDuke loader” were noted in the CosmicDuke whitepaper

we published [5] in 2014, where we observed that the loader appeared to have been in use with CosmicDuke before it was used with MiniDuke. In fact, we now know that before being used with either, the “MiniDuke loader” was used to load PinchDuke. The first known sample of the loader was used during the summer of 2010, while the most recent samples were seen during the spring of 2015.

This neatly ties together many of the tools used by the Dukes group, as versions of this one loader have been used to load malware from three different Dukes-related toolsets – CosmicDuke, PinchDuke, and MiniDuke – over the course of five years.


8

2011: John Kasai of Klagenfurt, Austria

During 2011, the Dukes appear to have significantly expanded both their arsenal of malware

toolsets and their C&C infrastructure. While the Dukes employed both hacked websites and

purposely rented servers for their C&C infrastructure, the group rarely registered their own

domain names, preferring instead to connect to their self- operated servers via IP addresses.

The beginning of 2011 however saw a significant break from that routine, when a large grouping

of domain names was registered by the Dukes in two batches; the first batch was registered on

the 29th of January and the second on the 13th of February. All the domains in both batches were

initially registered with the same alias: “John Kasai of Klagenfurt, Austria” (image 2, above). These

domains were used by the Dukes in campaigns involving many of their different malware toolsets

all the way until 2014. Like the “MiniDuke loader”, these “John Kasai” domains also provide a

common thread tying together much of the tools and infrastructure of the Dukes.

IMAGE 2: COMPARING WHOIS REGISTRATION DETAILS. Left - Original whois registration details for natureinhome.com, one of the Duke C&C server domains registered on the 29th of January, 2011 to “John Kasai”. Right - Details for the domain were later changed, providing a small glimpse of the Dukes’ sense of humor.

2011: Continuing expansion of the Dukes arsenal

By 2011, the Dukes had already developed at least 3 distinct malware toolsets, including a plethora

of supporting components such as loaders and persistence modules. In fact, as a sign of their

arsenal’s breadth, they had already decided to retire one of these malware toolsets as obsolete

after developing a replacement for it, seemingly from scratch.

The Dukes continued the expansion of their arsenal in 2011 with the addition of two more

toolsets: MiniDuke and CozyDuke. While all of the earlier toolsets – GeminiDuke, PinchDuke, and

CosmicDuke – were designed around a core infostealer component, MiniDuke is centered on a

simplistic backdoor component whose purpose is to enable the remote execution of commands

on the compromised system. The first observed samples of the MiniDuke backdoor component

are from May 2011. This backdoor component however is technically very closely related to

GeminiDuke, to the extent that we believe them to share parts of their source code. The origins

of MiniDuke can thus be traced back to the origins of GeminiDuke, of which the earliest observed

sample was compiled in January of 2009.


9

Unlike the simplistic MiniDuke toolset, CozyDuke is a highly versatile, modular, malware

“platform” whose functionality lies not in a single core component but in an array of modules

that it may be instructed to download from its C&C server. These modules are used to selectively

provide CozyDuke with just the functionality deemed necessary for the mission at hand.

CozyDuke’s modular platform approach is a clear break from the designs of the previous Duke

toolsets.

The stylistic differences between CozyDuke and its older siblings are further exemplified by the

way it was coded. All of the 4 previously mentioned toolsets were written in a minimalistic style

commonly seen with malware; MiniDuke even goes as far as having many components written

in Assembly language. CozyDuke however represents the complete opposite. Instead of being

written in Assembly or C, it was written in C++ , which provides added layers of abstraction for the

developer’s perusal, at the cost of added complexity.

Contrary to what might be expected from malware, early CozyDuke versions also lacked any

attempt at obfuscating or hiding their true nature. In fact, they were extremely open and verbose

about their functionality - for example, early samples contained a plethora of logging messages in

unencrypted form. In comparison, even the earliest known GeminiDuke samples encrypted any

strings that might have given away the malware’s true nature.

Finally, early CozyDuke versions also featured other elements that one would associate more with

a traditional software development project than with malware. For instance, the earliest known

CozyDuke version utilized a feature of the Microsoft Visual C++ compiler known as run-time

error checking. This feature added automatic error checking to critical parts of the program’s

execution at the cost, from a malware perspective, of providing additional hints that make the

malware’s functionality easier for reverse engineers to understand.

Based on these and other similar stylistic differences observed between CozyDuke and its older

siblings, we speculate that while the older Duke families appear to be the work of someone with

a background in malware writing (or at the least in hacking), CozyDuke’s author or authors more

likely came from a software development background.


10

2012: Hiding in the shadows

We still know surprisingly few specifics about the Dukes group’s activities during 2012. Based

on samples of Duke malware from 2012, the Dukes do appear to have continued actively using

and developing all of their tools. Of these, CosmicDuke and MiniDuke appear to have been in

more active use, while receiving only minor updates. GeminiDuke and CozyDuke on the other

hand appear to have been less used in actual operations, but did undergo much more significant

development.

IMAGE 3: MINIDUKE DECOY. One of the Ukraine-themed decoy documents used during a MiniDuke campaign in February 2013.

2013: MiniDuke flies too close to the sun

On the 12th of February 2013, FireEye published a blogpost[6] alerting readers to a combination

of new Adobe Reader 0-day vulnerabilities, CVE-2013-0640 and CVE-2013-0641, that were being

actively exploited in the wild. 8 days after FireEye’s initial alert, Kaspersky spotted the same exploit

being used to spread an entirely different malware family from the one mentioned in the original

report. On 27th February, Kaspersky [7] and CrySyS[8] Lab published research on this previously

unidentified malware family, dubbing it MiniDuke.

As we now know, by February 2013 the Dukes group had been operating MiniDuke and other

toolsets for at least 4 and a half years. Their malware had not stayed undetected for those 4 and a

half years. In fact, in 2009 a PinchDuke sample had been included in the malware set used by the

AV-Test security product testing organization to perform anti-virus product comparison reviews.

Until 2013 however, earlier Duke toolsets had not been put in a proper context. That finally started

to change in 2013.


11

The MiniDuke samples that were spread using these exploits were compiled on the 20th of

February, after the exploit was already publicly known. One might argue that since this took

place after the exploits were publicly mentioned, the Dukes simply copied them. We however do

not believe so. As mentioned by Kaspersky, even though the exploits used for these MiniDuke

campaigns were near-identical to those described by FireEye, there were nevertheless small

differences. Of these, the crucial one is the presence of PDB strings in the MiniDuke exploits.

These strings, which are generated by the compiler when using specific compilation settings,

means that the components of the exploits used with MiniDuke had to have been compiled

independently from those described by FireEye.

We do not know whether the Dukes compiled the components themselves or whether someone

else compiled the components before handing them to the group. This does however still rule

out the possibility that the Dukes simply obtained copies of the exploit binaries described by

FireEye and repurposed them.

In our opinion, this insistence on using exploits that are already under heightened scrutiny

suggests the existence of at least one of three circumstances. Firstly, the Dukes may have been

confident enough in their own abilities (and in the slowness of their opponents to react to new

threats) that they did not care if their targets may already be on the lookout for anyone exploiting

these vulnerabilities. Secondly, the value the Dukes intended to gain from these MiniDuke

campaigns may have been so great that they deemed it worth the risk of getting noticed. Or

thirdly, the Dukes may have invested so much into these campaigns that by the time FireEye

published their alert, the Dukes felt they could not afford to halt the campaigns.

We believe all three circumstances to have coexisted at least to some extent. As will become

evident in this report, this was not a one-off case but a recurring theme with the Dukes, in that

they would rather continue with their operations as planned than retreat from operating under

the spotlight.

As originally detailed in Kaspersky’s whitepaper, the MiniDuke campaigns from February 2013

employed spear-phishing emails with malicious PDF file attachments. These PDFs would attempt

to silently infect the recipient with MiniDuke, while distracting them by displaying a decoy

document. The headings of these documents included “Ukraine’s NATO Membership Action Plan

(MAP) Debates”, “The Informal Asia-Europe Meeting (ASEM) Seminar on Human Rights”, and

“Ukraine’s Search for a Regional Foreign Policy” (image 3, page 8). The targets of these campaigns,

according to Kaspersky, were located variously in Belgium, Hungary, Luxembourg and Spain [7].

Kaspersky goes on to state that by obtaining log files from the MiniDuke command and control

servers, they were able to identify high-profile victims from Ukraine, Belgium, Portugal, Romania,

the Czech Republic, Ireland, the United States and Hungary [7].


12

IMAGE 4: ONIONDUKE-TROJANIZED TORRENT FILE. Example of a torrent file containing an executable trojanized with the OnionDuke toolset.

2013: The curious case of OnionDuke

After the February campaigns, MiniDuke activity appeared to quiet down, although it did not

fully stop, for the rest of 2013. The Dukes group as a whole however showed no sign of slowing

down. In fact, we saw yet another Duke malware toolset, OnionDuke, appear first in 2013. Like

CozyDuke, OnionDuke appears to have been designed with versatility in mind, and takes a

similarly modular platform approach. The OnionDuke toolset includes various modules for

purposes such as password stealing, information gathering, denial of service (DoS) attacks, and

even posting spam to the Russian social media network, VKontakte. The OnionDuke toolset

also includes a dropper, an information stealer variant and multiple distinct versions of the core

component that is responsible for interacting with the various modules.

What makes OnionDuke especially curious is an infection vector it began using during the

summer of 2013. To spread the toolset, the Dukes used a wrapper to combine OnionDuke with

legitimate applications, created torrent files containing these trojanized applications, then

uploaded them to websites hosting torrent files (image 4, above). Victims who used the torrent

files to download the applications would end up getting infected with OnionDuke.

For most of the OnionDuke components we observed, the first versions that we are aware of were

compiled during the summer of 2013, suggesting that this was a period of active development

around this toolset. Critically however, the first sample of the OnionDuke dropper, which we have

observed being used only with components of this toolset, was compiled on the 17th of February

2013. This is significant because it suggests that OnionDuke was under development before any

part of the Duke operation became public. OnionDuke’s development therefore could not have

been simply a response to the outing of one of the other Duke malware, but was instead intended

for use alongside the other toolsets. This indication that the Dukes planned to use an arsenal of 5

malware toolsets in parallel suggests that they were operating with both significant resources and

capacity.


13

2013: The Dukes and Ukraine

In 2013, many of the decoy documents employed by the Dukes in their campaigns were related

to Ukraine; examples include a letter undersigned by the First Deputy Minister for Foreign Affairs

of Ukraine, a letter from the embassy of the Netherlands in Ukraine to the Ukrainian Ministry of

Foreign affairs and a document titled “Ukraine’s Search for a Regional Foreign Policy”. [9]

These decoy documents however were written before the start of the November 2013

Euromaidan protests in Ukraine and the subsequent upheaval. It is therefore important to note

that, contrary to what might be assumed, we have actually observed a drop instead of an increase

in Ukraine-related campaigns from the Dukes following the country’s political crisis.

This is in stark contrast to some other suspected Russian threat actors (such as Operation Pawn

Storm [10]) who appear to have increased their targeting of Ukraine following the crisis. This

supports our analysis that the overarching theme in the Dukes’ targeting is the collection of

intelligence to support diplomatic efforts. The Dukes actively targeted Ukraine before the crisis,

at a time when Russia was still weighing her options, but once Russia moved from diplomacy to

direct action, Ukraine was no longer relevant to the Dukes in the same way.

IMAGE 5: COSMICDUKE DECOY. Screenshot of a decoy document appearing to be an order for growth hormones, which was used in a CosmicDuke campaign in September 2013.

2013: CosmicDuke’s war on drugs

In a surprising turn of events, in September 2013 a CosmicDuke campaign was observed targeting

Russian speakers involved in the trade of illegal and controlled substances (image 5, above).

Kaspersky Labs, who sometimes refer to CosmicDuke as ‘Bot Gen Studio’, speculated that

“one possibility is that ‘Bot Gen Studio’ is a malware platform also available as a so-called ‘legal

spyware’ tool”; therefore, those using CosmicDuke to target drug dealers and those targeting

governments are two separate entities [11]. We however feel it is unlikely that the CosmicDuke

operators targeting drug dealers and those targeting governments could be two entirely

independent entities. A shared supplier of malware would explain the overlap in tools, but it

would not explain the significant overlap we have also observed in operational techniques related

to command and control infrastructure. Instead, we feel the targeting of drug dealers was a new

task for a subset of the Dukes group, possibly due to the drug trade’s relevance to security policy

issues. We also believe the tasking to have been temporary, because we have not observed any

further similar targeting from the Dukes after the spring of 2014.


14

2014: MiniDuke’s rise from the ashes

While MiniDuke activity decreased significantly during the rest of 2013 following the attention it

garnered from researchers, the beginning of 2014 saw the toolset back in full force. All MiniDuke

components, from the loader and downloader to the backdoor, had been slightly updated and

modified during the downtime. Interestingly, the nature of these modifications suggests that

their primary purpose was to regain the element of stealth and undetectability that had been lost

almost a year earlier.

Of these modifications, arguably the most important were the ones done to the loader. These

resulted in a loader version that would later become known as the “Nemesis Gemina loader” due

to PDB strings found in many of the samples. It is however still only an iteration on earlier versions

of the MiniDuke loader.

The first observed samples of the Nemesis Gemina loader (compiled on 14th December 2013) were

used to load the updated MiniDuke backdoor, but by the spring of 2014 the Nemesis Gemina

loader was also observed in use with CosmicDuke.

2014: CosmicDuke’s moment of fame and the scramble that ensued

Following the MiniDuke expose, CosmicDuke in turn got its moment of fame when F-Secure

published a whitepaper about it on 2nd July 2014 [5]. The next day, Kaspersky also published

their own research on the malware [11]. It should be noted that until this point, even though

CosmicDuke had been in active use for over 4 years, and had undergone minor modifications

and updates during that time, even the most recent CosmicDuke samples would often embed

persistence components that date back to 2012. These samples would also contain artefacts of

functionality from the earliest CosmicDuke samples from 2010.

It is therefore valuable to observe how the Dukes reacted to CosmicDuke’s outing at the

beginning of July. By the end of that month, CosmicDuke samples we found that had been

compiled on the 30th of July had shed unused parts of their code that had essentially just

been relics of the past. Similarly, some of the hardcoded values that had remained unaltered in

CosmicDuke samples for many years had been changed. We believe these edits were an attempt

at evading detection by modifying or removing parts of the toolset that the authors believed

might be helpful in identifying and detecting it.

Concurrently with the alterations to CosmicDuke, the Dukes were also hard at work modifying

their trusted loader. Much like the CosmicDuke toolset, the loader used by both MiniDuke and

CosmicDuke had previously only undergone one major update (the Nemesis Gemina upgrade)

since the first known samples from 2010. Again, much of the modification work focused on

removing redundant code in an attempt to appear different from earlier versions of the loader.

Interestingly however, another apparent evasion trick was also attempted - forging of the loaders’

compilation timestamps.


15

The first CosmicDuke sample we observed after the initial research on CosmicDuke was a

sample compiled on the 30th of July 2014. The loader used by the sample purported to have

been compiled on the 25th of March 2010. Due to artefacts left in the loader during compilation

time however, we know that it used a specific version of the Boost library, 1.54.0, that was only

published on the 1st of July 2013 [12]. The compilation timestamp therefore had to have been

faked. F-Secure’s whitepaper[5] on CosmicDuke includes a timeline of the loader’s usage, based

on compilation timestamps. Perhaps the Dukes group thought that by faking a timestamp from

before the earliest one cited in the whitepaper, they might be able to confuse researchers.

During the rest of 2014 and the spring of 2015, the Dukes continued making similar evasion-

focused modifications to CosmicDuke, as well as experimenting with ways to obfuscate the

loader. In the latter case however, the group appear to have also simultaneously developed an

entirely new loader, which we first observed being used in conjunction with CosmicDuke during

the spring of 2015.

While it is not surprising that the Dukes reacted to multiple companies publishing extensive

reports on one of their key toolsets, it is valuable to note the manner in which they responded.

Much like the MiniDuke expose in February 2013, the Dukes again appeared to prioritize

continuing operations over staying hidden. They could have ceased all use of CosmicDuke

(at least until they had developed a new loader) or retired it entirely, since they still had other

toolsets available. Instead, they opted for minimal downtime and attempted to continue

operations, with only minor modifications to the toolset.

2014: CozyDuke and monkey videos

While we now know that CozyDuke had been under development since at least the end of 2011, it

was not until the early days of July 2014 that the first large-scale CozyDuke campaign that we are

aware of took place. This campaign, like later CozyDuke campaigns, began with spear-phishing

emails that tried to impersonate commonly seen spam emails. These spear-phishing emails would

contain links that eventually lead the victim to becoming infected with CozyDuke.

Some of the CozyDuke spear-phishing emails from early July posed as e-fax arrival notifications,

a popular theme for spam emails, and used the same “US letter fax test page” decoy document

that was used a year later by CloudDuke. In at least one case however, the email instead contained

a link to a zip-archive file named “Office Monkeys LOL Video.zip”, which was hosted on the

DropBox cloud storage service. What made this particular case interesting was that instead of the

usual dull PDF file, the decoy was a Flash video file, more specifically a Super Bowl advertisement

from 2007 purporting to show monkeys at an office (image 6, page 16).


16

IMAGE 6: COZYDUKE DECOYS. Left - US letter fax test decoy used in CozyDuke campaigns Right - Screenshot of the monkey video decoy also used by CozyDuke

2014: OnionDuke gets caught using a malicious Tor node

On the 23rd of October 2014, Leviathan Security Group published a blog post describing a

malicious Tor exit node they had found. They noted that this node appeared to be maliciously

modifying any executables that were downloaded through it over a HTTP connection. Executing

the modified applications obtained this way would result in the victim being infected with

unidentified malware. On the 14th of November, F-Secure published a blog post naming the

malware OnionDuke and associating it with MiniDuke and CosmicDuke, the other Duke toolsets

known at the time [13].

Based on our investigations into OnionDuke, we believe that for about 7 months, from April 2014

to when Leviathan published their blog post in October 2014, the Tor exit node identified by

the researchers was being used to wrap executables on-the-fly with OnionDuke (image 7, page

13). This is similar to the way in which the toolset was being spread via trojanized applications in

torrent files during the summer of 2013.

While investigating the OnionDuke variant being spread by the malicious Tor node, we also

identified another OnionDuke variant that appeared to have successfully compromised multiple

victims in the ministry of foreign affairs of an Eastern European country during the spring of 2014.

This variant differed significantly in functionality from the one being spread via the Tor node,

further suggesting that different OnionDuke variants are intended for different kinds of victims.

We believe that, unusually, the purpose of the OnionDuke variant spread via the Tor node was

not to pursue targeted attacks but instead to form a small botnet for later use. This OnionDuke

variant is related to the one seen during the summer of 2013 being spread via torrent files. Both

of these infection vectors are highly indiscriminate and untargeted when compared to spear-

phishing, the usual infection vector of choice for the Dukes.


17

ONIONDUKE DROPPER

ONIONDUKE CORE COMPONENT

ONIONDUKE DROPPER



Drops

Drops Drops

Original binary

Original binary

Original binary

Executes

MALICIOUS TOR EXIT

NODE

VICTIMRequest

ResponseWrapped binary

MONGOLIA326

23%INDIA

26019%

OTHER235

17%

UNKNOWN1007% PAKISTAN

645%

MOROCCO62

4%

ALGERIA58

4%

28421%

3% EACH

2% EACH

1% EACH

EGYPT, 43

USA, 39

TURKEY, 38

INDONESIA, 34

SAUDI ARABIA, 25

BRAZIL, 22

PHILIPPINESS, 16

SRI LANKA, 15

BANGLADESH, 14

NEPAL, 13

CAMBODIA, 13

CHINA, 12

IMAGE 7: FLOWCHART OF HOW ONIONDUKE USES MALICIOUS TOR NODE TO INFECT VICTIMS.

IMAGE 8: GEOGRAPHICAL DISTRIBUTION OF ONIONDUKE BOTNET.

TOTAL: 1389


18

Further, the functionality of the OnionDuke variant is derived from a number of modules. While

one of these modules gathers system information and another attempts to steal the victim’s

usernames and passwords, as one would expect from a malware used for a targeted attack, the

other two known OnionDuke modules are quite the opposite; one is designed for use in DoS

attacks and the other for posting predetermined messages to the Russian VKontakte social

media site. This sort of functionality is more common in criminality-oriented botnets, not state-

sponsored targeted attacks.

We have since been able to identify at least two separate OnionDuke botnets. We believe the

formation of the first of these botnets began in January 2014, using both unidentified infection

vectors and the known malicious Tor node, and continued until our blogpost was published in

November. We believe the formation of the second botnet began in August 2014 and continued

until January 2015. We have been unable to identify the infection vectors used for this second

botnet, but the C&C servers it used had open directory listings, allowing us to retrieve files

containing listings of victim IP addresses. The geographic distribution of these IP addresses

(image 8, page 13) further supports our theory that the purpose of this OnionDuke variant was not

targeted attacks against high-profile targets.

One theory is that the botnets were a criminal side business for the Dukes group. The size of the

botnet however (about 1400 bots) is very small if its intended use is for commercial DoS attacks

or spam-sending. Alternatively, OnionDuke also steals user credentials from its victims, providing

another potential revenue source. The counter to that argument however is that the value of

stolen credentials from users in the countries with the highest percentage of OnionDuke bots

(Mongolia and India) are among the lowest on underground markets.

IMAGE 9: ONIONDUKE C&C TWEET. Screenshot of a tweet intended for OnionDuke, with a link pointing to an image file that embeds an updated version of OnionDuke.

2015: The Dukes up the ante

The end of January 2015 saw the start of the most high- volume Duke campaign seen thus far, with

thousands of recipients being sent spear-phishing emails that contained links to compromised

websites hosting CozyDuke. Curiously, the spear-phishing emails were strikingly similar to the

e-fax themed spam usually seen spreading ransomware and other common crimeware. Due to

the sheer number of recipients, it may not have been possible to customize the emails in the

same way as was possible with lower-volume campaigns.


19

The similarity to common spam may however also serve a more devious purpose. It is easy to

imagine a security analyst, burdened by the amount of attacks against their network, dismissing

such common-looking spam as “just another crimeware spam run”, allowing the campaign to, in

essence, hide in the masses [14].

The CozyDuke activity continues one of the long-running trends of the Dukes operations, the

use of multiple malware toolsets against a single target. In this case, the Dukes first attempted

to infect large numbers of potential targets with CozyDuke (and in a more obvious manner than

previously seen). They would then use the toolset to gather initial information on the victims,

before deciding which ones to pursue further. For the victims deemed interesting enough, the

Dukes would then deploy a different toolset.

We believe the primary purpose of this tactic is an attempt at evading detection in the targeted

network. Even if the noisy initial CozyDuke campaign is noticed by the victim organization, or

by someone else who then makes it publicly known, defenders will begin by first looking for

indicators of compromise (IOCs) related to the CozyDuke toolset. If however by that time the

Dukes are already operating within the victim’s network, using an another toolset with different

IOCs, then it is reasonable to assume that it will take much longer for the victim organization to

notice the infiltration.

In previous cases, the group used their malware toolsets interchangeably, as either the initial or

a later-stage toolset in a campaign. For these CozyDuke campaigns however, the Dukes appear

to have employed two particular later-stage toolsets, SeaDuke and HammerDuke, that were

purposely designed to leave a persistent backdoor on the compromised network. HammerDuke

is a set of backdoors that was first seen in the wild in February 2015, while SeaDuke is a cross-

platform backdoor that was, according to Symantec, first spotted in the wild in October 2014 [15].

Both toolsets were originally spotted being deployed by CozyDuke to its victims.

What makes SeaDuke special is that it was written in Python and designed to work on both

Windows and Linux systems; it is the first cross-platform tool we have seen from the Dukes. One

plausible reason for developing such a flexible malware might be that the group were increasingly

encountering victim environments where users were using Linux as their desktop operating

system.

Meanwhile, HammerDuke is a Windows-only malware (written in .NET) and comes in two variants.

The simpler one will connect to a hardcoded C&C server over HTTP or HTTPS to download

commands to execute. The more advanced variant, on the other hand, will use an algorithm to

generate a periodically-changing Twitter account name and will then attempt to find tweets

from that account containing links to the actual download location of the commands to execute.

In this way, the advanced HammerDuke variant attempts to hide its network traffic in more

legitimate use of Twitter. This method is not unique to HammerDuke, as MiniDuke, OnionDuke,

and CozyDuke all support similar use of Twitter (image 9, page 18) to retrieve links to additional

payloads or commands.


20

2015: CloudDuke

In the beginning of July 2015, the Dukes embarked on yet another large-scale phishing campaign.

The malware toolset used for this campaign was the previously unseen CloudDuke and we believe

that the July campaign marks the first time that this toolset was deployed by the Dukes, other

than possible small-scale testing.

The CloudDuke toolset consists of at least a loader, a downloader, and two backdoor

variants. Both backdoors (internally referred to by their authors as “BastionSolution” and

“OneDriveSolution”) essentially allow the operator to remotely execute commands on the

compromised machine. The way in which each backdoor does so however is significantly

different. While the BastionSolution variant simply retrieves commands from a hard-coded

C&C server controlled by the Dukes, the OneDriveSolution utilizes Microsoft’s OneDrive cloud

storage service for communicating with its masters, making it significantly harder for defenders

to notice the traffic and block the communication channel. What is most significant about the

July 2015 CloudDuke campaign is the timeline. The campaign appeared to consist of two distinct

waves of spear-phishing, one during the first days of July and the other starting from the 20th

of the month. Details of the first wave, including a thorough technical analysis of CloudDuke,

was published by Palo Alto Networks on 14th July [16]. This was followed by additional details from

Kaspersky in a blog post published on 16th July [17].

Both publications happened before the second wave took place and received notable publicity.

Despite the attention and public exposure of the toolset’s technical details (including IOCs) to

defenders, the Dukes still continued with their second wave of spear-phishing, including the

continued use of CloudDuke. The group did change the contents of the spear-phishing emails

they sent, but they didn’t switch to a new email format; instead, they reverted to the same efax-

themed format that they had previously employed, even to the point of reusing the exact same

decoy document that they had used in the CozyDuke campaign a year earlier (July 2014).

This once more highlights two crucial behavioral elements of the Dukes group. Firstly, as with

the MiniDuke campaigns of February 2013 and CosmicDuke campaigns in the summer of 2014,

again the group clearly prioritized the continuation of their operations over maintaining stealth.

Secondly, it underlines their boldness, arrogance and self-confidence; they are clearly confident

in both their ability to compromise their targets even when their tools and techniques are already

publicly known, and critically, they appear to be extremely confident in their ability to act with

impunity.


21

2015: Continuing surgical strikes with CosmicDuke

In addition to the notably overt and large-scale campaigns with CozyDuke and CloudDuke, the

Dukes also continued to engage in more covert, surgical campaigns using CosmicDuke. The latest

of these campaigns that we are aware of occurred during the spring and early summer of 2015.

As their infection vectors, these campaigns used malicious documents exploiting recently fixed

vulnerabilities.

Two of these campaigns were detailed in separate blog posts by the Polish security company

Prevenity, who said that both campaigns targeted Polish entities with spear- phishing emails

containing malicious attachments with relevant Polish language names [18] [19]. A third, similar,

CosmicDuke campaign was observed presumably targeting Georgian entities since it used an

attachment with a Georgian-language name that translates to “NATO consolidates control of the

Black Sea.docx”.

Based on this, we do not believe that the Dukes are replacing their covert and targeted campaigns

with the overt and opportunistic CozyDuke and CloudDuke style of campaigns. Instead, we believe

that they are simply expanding their activities by adding new tools and techniques.

IMAGE 10: TIMELINE OF KNOWN ACTIVITY FOR THE VARIOUS DUKE TOOLKITS.

2009

2010

2011

2012

2013

2014

2015

PinchDuke

GeminiDuke

CosmicDukeMiniDuke

Loader

Backdoor

CozyDuke

OnionDuke

SeaDuke

HammerDukeCloudDuke

TOOLKITS

YEAR

First known activity

Most recent known activity

LEGEND

2008


22

PINCHDUKE

First known activity November 2008

Most recent known activity Summer 2010

Other names N/A

C&C communication methods HTTP (S)

Known toolset components ◊ Multiple loaders

◊ Information stealer

TOOLS AND TECHNIQUES OF THE DUKES

The PinchDuke toolset consists of multiple loaders and a core information stealer trojan.

The loaders associated with the PinchDuke toolset have also been observed being used with

CosmicDuke.

The PinchDuke information stealer gathers system configuration information, steals user

credentials, and collects user files from the compromised host transferring these via HTTP(S) to a

C&C server. We believe PinchDuke’s credential stealing functionality is based on the source code

of the Pinch credential stealing malware (also known as LdPinch) that was developed in the early

2000s and has later been openly distributed on underground forums.

Credentials targeted by PinchDuke include ones associated with the following software or

services:

• The Bat!

• Yahoo!

• Mail.ru

• Passport.Net

• Google Talk

• Netscape Navigator

• Mozilla Firefox

• Mozilla Thunderbird

• Internet Explorer

• Microsoft Outlook

• WinInet Credential Cache

• Lightweight Directory Access Protocol (LDAP)


23

GEMINIDUKE

First known activity January 2009

Most recent known activity December 2012

Other names N/A


Known toolset components ◊ Loader


◊ Multiple persistence components

PinchDuke will also search for files that have been created within a predefined timeframe and

whose file extension is present in a predefined list.

As a curiosity, most PinchDuke samples contain a Russian language error message:“Ошибка названия модуля! Название секции данных должно быть 4 байта!”

Which roughly translates to: “There is an error in the module’s name! The length of the data

section name must be 4 bytes!”

The GeminiDuke toolset consists of a core information stealer, a loader and multiple persistence-

related components. Unlike CosmicDuke and PinchDuke, GeminiDuke primarily collects

information on the victim computer’s configuration. The collected details include:

• Local user accounts

• Network settings

• Internet proxy settings

• Installed drivers

• Running processes

• Programs previously executed by users

• Programs and services configured to automatically run at startup

• Values of environment variables

• Files and folders present in any users home folder

• Files and folders present in any users My Documents

• Programs installed to the Program Files folder

• Recently accessed files, folders and programs


24

As is common for malware, the GeminiDuke infostealer uses a mutex to ensure that only one

instance of itself is running at a time. What is less common is that the name used for the mutex

is often a timestamp. We believe these timestamps to be generated during the compilation of

GeminiDuke from the local time of the computer being used.

Comparing the GeminiDuke compilation timestamps, which always reference the time in the

UTC+0 timezone, with the local time timestamps used as mutex names, and adjusting for the

presumed timezone difference, we note that all of the mutex names reference a time and date

that is within seconds of the respective sample’s compilation timestamp. Additionally, the

apparent timezone of the timestamps in all of the GeminiDuke samples compiled during the

winter is UTC+3, while for samples compiled during the summer, it is UTC+4.

The observed timezones correspond to the pre-2011 definition of Moscow Standard Time (MSK) [20], which was UTC+3 during the winter and UTC+4 during the summer. In 2011 MSK stopped

following Daylight Saving Time (DST) and was set to UTC+4 year-round, then reset to UTC +3 year-

round in 2014. Some of the observed GeminiDuke samples that used timestamps as mutex names

were compiled while MSK still respected DST and for these samples, the timestamps perfectly

align with MSK as it was defined at the time.

Map of timezones in Russia; © Eric Muller [23] Pink: MSK (UTC +3) ; Orange: UTC +4

However, GeminiDuke samples compiled after MSK was altered still vary the timezone between

UTC+3 in the winter and UTC+4 during the summer. While computers using Microsoft Windows

automatically adjust for DST, changes in timezone definitions require that an update to Windows

be installed. We therefore believe that the Dukes group simply failed to update the computer

they were using to compile GeminiDuke samples, so that the timestamps seen in later samples

still appear to follow the old definition of Moscow Standard Time.

The GeminiDuke infostealer has occasionally been wrapped with a loader that appears to be

unique to GeminiDuke and has never been observed being used with any of the other Duke

toolsets. GeminiDuke also occasionally embeds additional executables that attempt to achieve

persistence on the victim computer. These persistence components appear to be uniquely

customized for use with GeminiDuke, but they use many of the same techniques as CosmicDuke

persistence components.


25

COSMICDUKE



Other namesTinybaron, BotgenStudios,

NemesisGemina

C&C communication methods HTTP (S), FTP, WebDav

Known toolset components◊ Information stealer

◊ Multiple loaders

◊ Privilege escalation component


The CosmicDuke toolset is designed around a main information stealer component. This

information stealer is augmented by a variety of components that the toolset operators may

selectively include with the main component to provide additional functionalities, such as

multiple methods of establishing persistence, as well as modules that attempt to exploit privilege

escalation vulnerabilities in order to execute CosmicDuke with higher privileges. CosmicDuke’s

information stealing functionality includes:

• Keylogging

• Taking screenshots

• Stealing clipboard contents

• Stealing user files with file extensions that match a predefined list

• Exporting the users cryptographic certificates including private keys

• Collecting user credentials, including passwords, for a variety of popular chat and email

programs as well as from web browsers

CosmicDuke may use HTTP, HTTPS, FTP or WebDav to exfiltrate the collected data to a hardcoded

C&C server.

While we believe CosmicDuke to be an entirely custom- written toolset with no direct sharing

of code with other Duke toolsets, the high-level ways in which many of its features have been

implemented appear to be shared with other members of the Duke arsenal.

Specifically, the techniques CosmicDuke uses to extract user credentials from targeted software

and to detect the presence of analysis tools appear to be based on the techniques used by

PinchDuke. Likewise, many of CosmicDuke’s persistence components use techniques also used

by components associated with GeminiDuke and CozyDuke. In all of these cases, the techniques

are the same, but the code itself has been altered to work with the toolset in question, leading to

small differences in the final implementation.


26

A few of the CosmicDuke samples we discovered also included components that attempt to

exploit either of the publicly known CVE-2010-0232 or CVE-2010- 4398 privilege escalation

vulnerabilities. In the case of CVE-2010-0232, the exploit appears to be based directly on the

proof of concept code published by security researcher Tavis Ormandy when he disclosed the

vulnerability [4]. We believe that the exploit for CVE- 2010-4398 was also based on a publicly

available proof of concept [21].

In addition to often embedding persistence or privilege escalation components, CosmicDuke has

occasionally embedded PinchDuke, GeminiDuke, or MiniDuke components. It should be noted

that CosmicDuke does not interoperate with the second, embedded malware in any way other

than by writing the malware to disk and executing it. After that, CosmicDuke and the second

malware operate entirely independently of each other, including separately contacting their C&C

servers. Sometimes, both malware have used the same C&C server, but in other cases, even the

servers have been different.

Finally, it is worth noting that while most of the compilation timestamps for CosmicDuke samples

appear to be authentic, we are aware of a few cases of them being forged. One such case was

detailed on page 10 as an apparent evasion attempt. Another is a loader variant seen during the

spring of 2010 in conjunction with both CosmicDuke and PinchDuke. These loader samples all had

compilation timestamps purporting to be from the 24th or the 25th of September, 2001. However,

many of these loader samples embed CosmicDuke variants that exploit the CVE-2010- 0232

privilege escalation vulnerability thus making it impossible for the compilation timestamps to be

authentic.

Further reading

1. Timo Hirvonen; F-Secure Labs; CosmicDuke: Cosmu with a Twist of MiniDuke; published 2 July 2014; https://www.f-

secure.com/ documents/996508/1030745/cosmicduke_ whitepaper.pdf

2. GReAT; Securelist; Miniduke is back: Nemesis Gemina and the Botgen Studio; published 3 July 2014; https://securelist.

com/blog/ incidents/64107/miniduke-is-back-nemesisgemina-and-the-botgen-studio/

https://www.f-secure.com/documents/996508/1030745/cosmicduke_whitepaper.pdf


https://securelist.com/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/64107/

https://securelist.com/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/64107/


27

The MiniDuke toolset consists of multiple downloader and backdoor components, which are

commonly referred to as the MiniDuke “stage 1”, “stage 2”, and “stage 3” components as per

Kaspersky’s original MiniDuke whitepaper. Additionally, a specific loader is often associated with

the MiniDuke toolset and is referred to as the “MiniDuke loader”.

While the loader has often been used together with other MiniDuke components, it has also

commonly been used in conjunction with CosmicDuke and PinchDuke. In fact, the oldest samples

of the loader that we have found were used with PinchDuke. To avoid confusion however, we have

decided to continue referring to the loader as the “MiniDuke loader”.

Two details about MiniDuke components are worth noting. Firstly, some of the MiniDuke

components were written in Assembly language. While many malware were written in Assembly

during the ‘old days‘ of curiosity-driven virus writing, it has since become a rarity. Secondly, some

of the MiniDuke components do not contain a hardcoded C&C server address, but instead obtain

the address of a current C&C server via Twitter. The use of Twitter either to initially obtain the

address of a C&C server (or as a backup if no hardcoded primary C&C server responds) is a feature

also found in OnionDuke, CozyDuke, and HammerDuke.

Further reading

1. Costin Raiu, Igor Soumenkov, Kurt Baumgartner, Vitaly Kamluk; Kaspersky Lab; The MiniDuke Mystery: PDF 0-day

Government Spy Assembler 0x29A Micro Backdoor; published 27 February 2013; http://kasperskycontenthub.com/

wp-content/ uploads/sites/43/vlpdfs/themysteryofthepdf0-dayassemblermicrobackdoor.pdf

2. CrySyS Blog; Miniduke; published 27 February 2013; http://blog.crysys.hu/2013/02/miniduke/

3. Marius Tivadar, Bíró Balázs, Cristian Istrate; BitDefender; A Closer Look at MiniDuke; published April 2013; http://labs.

bitdefender. com/wp-content/uploads/downloads/2013/04/ MiniDuke_Paper_Final.pdf

4. CIRCL - Computer Incident Response Center Luxembourg; Analysis Report (TLP:WHITE) Analysis of a stage 3 Miniduke

sample; published 30 May 2013; https://www.circl.lu/files/tr-14/ circl-analysisreport-miniduke-stage3-public.pdf

5. ESET WeLiveSecurity blog; Miniduke still duking it out; published 20 May 2014; http://www. welivesecurity.

com/2014/05/20/miniduke-still-duking/

MINIDUKE

First known activity• Loader July 2010

• Backdoor May 2011

Most recent known activity• Loader: Spring 2015

• Backdoor: Summer 2014

Other names N/A

C&C communication methods HTTP (S), Twitter

Known toolset components ◊ Downloader

◊ Backdoor

◊ Loader

http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/themysteryofthepdf0-dayassemblermicrobackdoor.pdf

http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/themysteryofthepdf0-dayassemblermicrobackdoor.pdf

http://blog.crysys.hu/2013/02/miniduke/

http://labs.bitdefender.com/wp-content/uploads/downloads/2013/04/MiniDuke_Paper_Final.pdf

http://labs.bitdefender.com/wp-content/uploads/downloads/2013/04/MiniDuke_Paper_Final.pdf

https://www.circl.lu/files/tr-14/circl-analysisreport-miniduke-stage3-public.pdf

http://www.welivesecurity.com/2014/05/20/miniduke-still-duking/

http://www.welivesecurity.com/2014/05/20/miniduke-still-duking/


28

CozyDuke is not simply a malware toolset; rather, it is a modular malware platform formed around

a core backdoor component. This component can be instructed by the C&C server to download

and execute arbitrary modules, and it is these modules that provide CozyDuke with its vast array

of functionality. Known CozyDuke modules include:

• Command execution module for executing arbitrary Windows Command Prompt commands

• Password stealer module

• NT LAN Manager (NTLM) hash stealer module

• System information gathering module

• Screenshot module

In addition to modules, CozyDuke can also be instructed to download and execute other,

independent executables. In some observed cases, these executables were self-extracting

archive files containing common hacking tools, such as PSExec and Mimikatz, combined with

script files that execute these tools. In other cases, CozyDuke has been observed downloading

and executing tools from other toolsets used by the Dukes such as OnionDuke, SeaDuke, and

HammerDuke.

EXAMPLES OF COZYDUKE PDB STRINGS

• E:\Visual Studio 2010\Projects\Agent_NextGen\Agent2011v3\Agent2011\Agent\tasks\bin\ GetPasswords\exe\GetPasswords.pdb

• D:\Projects\Agent2011\Agent2011\Agent\tasks\bin\systeminfo\exe\systeminfo.pdb

• \\192.168.56.101\true\soft\Agent\tasks\Screenshots\agent_screeshots\Release\agent_ screeshots.pdb

Further reading

1. Artturi Lehtio; F-Secure Labs; CozyDuke; published 22 April 2015; https://www.f-secure. com/documents/996508/ 1030745/CozyDuke

2. Kurt Baumgartner, Costin Raiu; Securelist; The CozyDuke APT; 21 April 2015; https://securelist. com/blog/research/69731/the-cozyduke-apt/

COZYDUKE


Most recent known activity: Spring 2015

Other names CozyBear, CozyCar, Cozer, EuroAPT

C&C communication methods HTTP (S), Twitter (backup)

Known toolset components

◊ Dropper

◊ Modular backdoor


◊ Information gathering module

◊ Screenshot module

◊ Password stealing module

◊ Password hash stealing module

https://www.f-secure.com/documents/996508/1030745/CozyDuke


https://securelist.com/blog/research/69731/the-cozyduke-apt/

https://securelist.com/blog/research/69731/the-cozyduke-apt/


29

The OnionDuke toolset includes at least a dropper, a loader, an information stealer trojan and

multiple modular variants with associated modules.

OnionDuke first caught our attention because it was being spread via a malicious Tor exit node.

The Tor node would intercept any unencrypted executable files being downloaded and modify

those executables by adding a malicious wrapper contained an embedded OnionDuke. Once

the victim finished downloading the file and executed it, the wrapper would infect the victim’s

computer with OnionDuke before executing the original legitimate executable.

The same wrapper has also been used to wrap legitimate executable files, which were then

made available for users to download from torrent sites. Again, if a victim downloaded a torrent

containing a wrapped executable, they would get infected with OnionDuke.

Finally, we have also observed victims being infected with OnionDuke after they were already

infected with CozyDuke. In these cases, CozyDuke was instructed by its C&C server to download

and execute OnionDuke toolset.

Further reading

1. Artturi Lehtio; F-Secure Weblog; OnionDuke: APT Attacks Via the Tor Network; published 14 November 2014; https://

www.f-secure.com/ weblog/archives/00002764.html

ONIONDUKE

First known activity February 2013

Most recent known activity Spring 2015

Other names N/A

C&C communication methods HTTP (S), Twitter (backup)


◊ Dropper

◊ Loader

◊ Multiple modular core components


◊ Distributed Denial of Service (DDoS)

module

◊ Password stealing module

◊ Information gathering module

◊ Social network spamming module

https://www.f-secure.com/weblog/archives/00002764.html



30

SeaDuke is a simple backdoor that focuses on executing commands retrieved from its C&C server,

such as uploading and downloading files, executing system commands and evaluating additional

Python code. SeaDuke is made interesting by the fact that it is written in Python and designed to

be cross-platform so that it works on both Windows and Linux.

The only known infection vector for SeaDuke is via an existing CozyDuke infection, wherein

CozyDuke downloads and executes the SeaDuke toolset.

Like HammerDuke, SeaDuke appears to be used by the Dukes group primarily as a secondary

backdoor left on CozyDuke victims after that toolset has completed the initial infection and

stolen any readily available information from them.

EXAMPLE OF CROSS-PLATFORM SUPPORT FOUND IN SEADUKE'S SOURCE CODE

Further reading

1. Symantec Security Response; “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory; published 13 July 2015;

http://www.symantec.com/connect/blogs/ forkmeiamfamous-seaduke-latest-weapon- duke-armory

2. Josh Grunzweig; Palo Alto Networks; Unit 42 Technical Analysis: Seaduke; published 14 July 2015;

http://researchcenter.paloaltonetworks. com/2015/07/unit-42-technical-analysis- seaduke/

3. Artturi Lehtio; F-Secure Weblog; Duke APT group’s latest tools: cloud services and Linux support; published 22 July

2015; https://www.f- secure.com/weblog/archives/00002822.html

SEADUKE

First known activity October 2014

Most recent known activity Spring 2015

Other names SeaDaddy, SeaDask


Known toolset components ◊ Backdoor

http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory

http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/



31

HammerDuke is a simple backdoor that is apparently designed for similar use cases as SeaDuke.

Specifically, the only known infection vector for HammerDuke is to be downloaded and executed

by CozyDuke onto a victim that has already been compromised by that toolset. This, together

with HammerDuke’s simplistic backdoor functionality, suggests that it is primarily used by the

Dukes group as a secondary backdoor left on CozyDuke victims after CozyDuke performed the

initial infection and stole any readily available information from them.

HammerDuke is however interesting because it is written in .NET, and even more so because

of its occasional use of Twitter as a C&C communication channel. Some HammerDuke variants

only contain a hardcoded C&C server address from which they will retrieve commands, but other

HammerDuke variants will first use a custom algorithm to generate a Twitter account name based

on the current date. If the account exists, HammerDuke will then search for tweets from that

account with links to image files that contain embedded commands for the toolset to execute.

HammerDuke’s use of Twitter and crafted image files is reminiscent of other Duke toolsets. Both

OnionDuke and MiniDuke also use date-based algorithms to generate Twitter account names

and then searched for any tweets from those accounts that linked to image files. In contrast

however, for OnionDuke and MiniDuke the linked image files contain embedded malware to be

downloaded and executed, rather than instructions.

Similarly, GeminiDuke may also download image files, but these would contain embedded

additional configuration information for the toolset itself. Unlike HammerDuke however, the

URLs for the images downloaded by GeminiDuke are hardcoded in its initial configuration, rather

than retrieved from Twitter.

Further reading

1. FireEye; HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group; published July 2015;

https://www2.fireeye.com/rs/848-DID-242/ images/rpt-apt29-hammertoss.pdf *

*APT29 is the name used by FireEye to identify the cyberespionagegroup we refer to as the Dukes.

HAMMERDUKE



Other names HAMMERTOSS, Netduke

C&C communication methods HTTP (S), Twitter

Known toolset components ◊ Backdoor

https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf


32

CloudDuke is a malware toolset known to consist of, at least, a downloader, a loader and two

backdoor variants. The CloudDuke downloader will download and execute additional malware

from a preconfigured location. Interestingly, that location may be either a web address or a

Microsoft OneDrive account.

Both CloudDuke backdoor variants support simple backdoor functionality, similar to SeaDuke.

While one variant will use a preconfigured C&C server over HTTP or HTTPS, the other variant will

use a Microsoft OneDrive account to exchange commands and stolen data with its operators.

Further reading

1. Artturi Lehtio; F-Secure Weblog; Duke APT group’s latest tools: cloud services and Linux support; published 22 July

2015; https://www.f-secure. com/weblog/archives/00002822.html

2. Brandon Levene, Robert Falcone and Richard Wartell; Palo Alto Networks; Tracking MiniDionis: CozyCar’s New

Ride Is Related to Seaduke; published 14 July 2015; http://researchcenter. paloaltonetworks.com/2015/07/tracking-

minidionis-cozycars-new-ride-is-related-to- seaduke/

3. Segey Lozhkin; Securelist; Minidionis – one more APT with a usage of cloud drives; published 16 July 2015;

https://securelist.com/blog/ research/71443/minidionis-one-more-apt-with- a-usage-of-cloud-drives/

CLOUDDUKE

First known activity June 2015


Other names MiniDionis, CloudLook

C&C communication methods HTTP (S), Microsoft OneDrive


◊ Downloader

◊ Loader

◊ Two backdoor variants


http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-relate

http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-relate

https://securelist.com/blog/research/71443/minidionis-one-more-apt-with-a-usage-of-cloud-drives/


33

INFECTION VECTORS

The Dukes primarily use spear-phishing emails when attempting to infect victims with their

malware. These spear-phishing emails range from ones purposely designed to look like spam

messages used to spread common crimeware and addressed to large numbers of people, to

highly targeted emails addressed to only a few recipients (or even just one person) and with

content that is highly relevant for the intended recipient(s). In some cases, the Dukes appear to

have used previously compromised victims to send new spear-phishing emails to other targets.

The spear-phishing emails used by the Dukes may contain either specially-crafted malicious

attachments or links to URLs hosting the malware. When malicious attachments are used, they

may either be designed to exploit a vulnerability in a popular software assumed to be installed on

the victim’s machine, such as Microsoft Word or Adobe Reader, or the attachment itself may have

its icon and filename obfuscated in such a way that the file does not appear to be an executable.

The only instances which we are aware of where the Dukes did not use spear-phishing as the

initial infection vector is with certain OnionDuke variants. These were instead spread using either

a malicious Tor node that would trojanize legitimate applications on-the-fly with the OnionDuke

toolset, or via torrent files containing previously trojanized versions of legitimate applications.

Finally, it is worth noting that the Dukes are known to sometimes re-infect a victim of one of

their malware tools with another one of their tools. Examples include CozyDuke infecting its

victims with SeaDuke, HammerDuke,or OnionDuke; and CosmicDuke infecting its victims with

PinchDuke,GeminiDuke or MiniDuke.

DECOYS

The Dukes commonly employ decoys with their infection vectors. These decoys may be image

files, document files, Adobe Flash videos or similar that are presented to the victim during

the infection process in an attempt to distract them from the malicious activity. The contents

of these decoys range from non-targeted material such as videos of television commercials

showing monkeys at an office, to highly targeted documents with content directly relevant to the

intended recipient such as reports, invitations, or lists of participants to an event.

Usually, the contents of the decoys appear to be taken from public sources, either by copying

publicly accessible material such as a news report or by simply repurposing a legitimate file that

has been openly distributed. In some cases however, highly targeted decoys have been observed

using content that does not appear to be publicly available, suggesting that these contents may

have been stolen from other victims that had been infected by Duke toolsets.


34

EXPLOITATION OF VULNERABILITIES

The Dukes have employed exploits both in their infection vectors as well as in their malware. We

are however only aware of one instance - the exploitation of CVE-2013-0640 to deploy MiniDuke

- where we believe the exploited vulnerability was a zero-day at the time that the group acquired

the exploit. In all known cases where exploits were employed, we believe the Dukes did not

themselves discover the vulnerabilities or design the original exploits; for the exploited zero-day,

we believe the Dukes purchased the exploit. In all other cases, we believe the group simply

repurposed publicly available exploits or proofs of concept.

ATTRIBUTION AND STATE-SPONSORSHIP

Attribution is always a difficult question, but attempting to answer it is important in understanding

these types of threats and how to defend against them. This paper has already stated that we

believe the Dukes to be a Russian state-sponsored cyberespionage operation. To reach this

conclusion, we began by analyzing the apparent objectives and motivations of the group.

Based on what we currently know about the targets chosen by the Dukes over the past 7 years,

they appear to have consistently targeted entities that deal with foreign policy and security policy

matters. These targets have included organizations such as ministries of foreign affairs, embassies,

senates, parliaments, ministries of defense, defense contractors, and think tanks.

In one of their more intriguing cases, the Dukes have appeared to also target entities involved

in the trafficking of illegal drugs. Even such targets however appear to be consistent with the

overarching theme, given the drug trade’s relevance to security policy. Based on this, we are

confident in our conclusion that the Dukes’ primary mission is the collection of intelligence to

support foreign and security policy decision-making.

This naturally leads to the question of state-sponsorship. Based on our establishment of the

group’s primary mission, we believe the main benefactor (or benefactors) of their work is a

government. But are the Dukes a team or a department inside a government agency? An external

contractor? A criminal gang selling to the highest bidder? A group of tech-savvy patriots? We

don’t know.

Based on the length of the Dukes’ activity, our estimate of the amount of resources invested in

the operation and the fact that their activity only appears to be increasing, we believe the group

to have significant and most critically, stable financial backing. The Dukes have consistently

operated large-scale campaigns against high-profile targets while concurrently engaging in

smaller, more targeted campaigns with apparent coordination and no evidence of unintentional

overlap or operational clashes. We therefore believe the Dukes to be a single, large, well-

coordinated organization with clear separation of responsibilities and targets.


35

The Dukes appear to prioritize the continuation of their operations over stealth. Their 2015

CozyDuke and CloudDuke campaigns take this to the extreme by apparently opting for speed and

quantity over stealth and quality. In the most extreme case, the Dukes continued with their July

2015 CloudDuke campaign even after their activity had been outed by multiple security vendors.

We therefore believe the Dukes’ primary mission to be so valuable to their benefactors that its

continuation outweighs everything else.

This apparent disregard for publicity suggests, in our opinion, that the benefactors of the Dukes

is so powerful and so tightly connected to the group that the Dukes are able to operate with

no apparent fear of repercussions on getting caught. We believe the only benefactor with the

power to offer such comprehensive protection would be the government of the nation from

which the group operates. We therefore believe the Dukes to work either within or directly for a

government, thus ruling out the possibility of a criminal gang or another third party.

This leaves us with the final question: which country? We are unable to conclusively prove

responsibility of any specific country for the Dukes. All of the available evidence however does in

our opinion suggest that the group operates on behalf of the Russian Federation. Further, we are

currently unaware of any evidence disproving this theory.

Kaspersky Labs has previously noted the presence of Russian-language artefacts in some of

the Duke malware samples [9]. We have also found a Russian-language error message in many

PinchDuke samples: “Ошибка названия модуля! Название секции данных должно быть 4 байта!” This roughly translates as, “There is an error in the module’s name! The length

of the data section name must be 4 bytes!”

Additionally, Kaspersky noted that based on the compilation timestamps, the authors of the Duke

malware appear to primarily work from Monday to Friday between the times of 6am and 4pm

UTC+0 [11]. This corresponds to working hours between 9am and 7pm in the UTC+3 time zone,

also known as Moscow Standard Time, which covers, among others, much of western Russia,

including Moscow and St. Petersburg.

The Kaspersky Labs analysis of the Duke malware authors’ working times is supported by our own

analysis, as well as that performed by FireEye [22]. This assertion of time zone is also supported by

timestamps found in many GeminiDuke samples, which similarly suggest the group work in the

Moscow Standard Time timezone, as further detailed in the section on the technical analysis of

GeminiDuke (page 23).

Finally, the known targets of the Dukes - Eastern European foreign ministries, western think tanks

and governmental organizations, even Russian-speaking drug dealers - conform to publicly-

known Russian foreign policy and security policy interests. Even though the Dukes appear to

have targeted governments all over the world, we are unaware of them ever targeting the Russian

government. While absence of evidence is not evidence of absence, it is an interesting detail to

note.


36

Based on the presented evidence and analysis, we believe, with a high level of confidence, that

the Duke toolsets are the product of a single, large, well-resourced organization (which we

identify as the Dukes) that provides the Russian government with intelligence on foreign and

security policy matters in exchange for support and protection.


37

BIBLIOGRAPHY

1. The White House; Remarks By President Barack Obama In Prague As Delivered; published 5 April 2009; [Online].

Available: https://www.whitehouse.gov/the-press-office/remarks-president-barack-obama-prague-delivered

2. Wikipedia; KavKaz Center; [Online]. Available: https://en.wikipedia.org/wiki/Kavkaz_Center

3. BBC: Nato exercises ‘a dangerous move’; published 17 April 2009; [Online]. Available: http://news.bbc.co.uk/2/hi/

europe/8004399.stm

4. Tavis Ormandy; Seclists.org; Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack; published 19

January 2010; [Online]. Available: http://seclists.org/fulldisclosure/2010/Jan/341

5. Timo Hirvonen; F-Secure Labs; CosmicDuke: Cosmu with a Twist of MiniDuke; published 2 July 2014; [Online]. Available:


6. Yichong Lin, James T. Bennett, Thoufique Haq; FireEye Threat Research blog; In Turn, It’s PDF Time; published 12

February 2013; [Online]. Available: https://www.fireeye.com/blog/threat-research/2013/02/in-turn-its-pdf- time.html

7. Costin Raiu, Igor Soumenkov, Kurt Baumgartner, Vitaly Kamluk; Kaspersky Lab; The MiniDuke Mystery: PDF 0-day

Government Spy Assembler 0x29A Micro Backdoor; published 27 February 2013; [Online]. Available: http://

kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/themysteryofthepdf0- dayassemblermicrobackdoor.

pdf

8. Laboratory of Cryptography and System Security (CrySyS Lab); Miniduke: Indicators; published 27 February 2013;

[Online]. Available: http://www.crysys.hu/miniduke/miniduke_indicators_public.pdf

9. Mikko Hypponen; F-Secure Weblog; Targeted Attacks and Ukraine; published 1 April 2014; [Online]. Available: https://

www.f-secure.com/weblog/archives/00002688.html

10. Feike Hacquebord; Trend Micro; Pawn Storm’s Domestic Spying Campaign Revealed; Ukraine and US Top Global Targets;

published 18 August 2015; [Online]. Available: http://blog.trendmicro.com/trendlabs-security- intelligence/pawn-

storms-domestic-spying-campaign-revealed-ukraine-and-us-top-global-targets/

11. GReAT; Securelist; Miniduke is back: Nemesis Gemina and the Botgen Studio; published 3 July 2014; [Online]. Available:

https://securelist.com/blog/incidents/64107/miniduke-is-back-nemesis-gemina-and-the-botgen- studio/

12. Boost C++ Libraries; Version 1.54.0; published 1 July 2013; [Online]. Available: http://www.boost.org/users/ history/

version_1_54_0.html

13. Artturi Lehtio; F-Secure Weblog; OnionDuke: APT Attacks Via the Tor Network; published 14 November 2014; [Online].

Available: https://www.f-secure.com/weblog/archives/00002764.html

14. Artturi Lehtio; F-Secure Labs; CozyDuke; published 22 April 2015; [Online]. Available: https://www.f-secure.com/

documents/996508/ 1030745/CozyDuke

15. Symantec Security Response; “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory; published 13 July 2015;

[Online]. Available: http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest- weapon-duke-

armory

16. Brandon Levene, Robert Falcone and Richard Wartell; Palo Alto Networks; Tracking MiniDionis: CozyCar’s New Ride Is

Related to Seaduke; published 14 July 2015; [Online]. Available: http://researchcenter.paloaltonetworks. com/2015/07/

tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/

17. Segey Lozhkin; Securelist; Minidionis – one more APT with a usage of cloud drives; published 16 July 2015; [Online].

Available: https://securelist.com/blog/research/71443/minidionis-one-more-apt-with-a-usage-of-cloud- drives/

18. malware@prevenity; Malware w 5 rocznicę katastrofy samolotu; published 22 April 2015; [Online]. Available: http://

malware.prevenity.com/2015/04/malware-w-5-rocznice-katastrofy-samolotu.html (in Polish)19. malware@prevenity; Wykradanie danych z instytucji publicznych; published 11 August 2015; [Online]. Available: http://

malware.prevenity.com/2015/08/wykradanie-danych-z-instytucji.html (in Polish)20. Wikipedia; Moscow Time; [Online]. Available: https://en.wikipedia.org/wiki/Moscow_Time

21. Exploit Database; CVE: 2010-4398; published 24 November 2014; [Online]. Available: https://www.exploit-db.com/

exploits/15609/

22. FireEye; HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group; published July 2015; [Online]. Available:

https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf *

23. tz_world, an efele.net/tz map; Eric Muller; tz_russia, an efele.net/tz map: A shapefile of the TZ timezones of Russia;

published 2 May 2013; [Online]. Available: http://efele.net/maps/tz/russia/

https://www.whitehouse.gov/the-press-office/remarks-president-barack-obama-prague-delivered

https://en.wikipedia.org/wiki/Kavkaz_Center

http://news.bbc.co.uk/2/hi/europe/8004399.stm

http://news.bbc.co.uk/2/hi/europe/8004399.stm

http://seclists.org/fulldisclosure/2010/Jan/34


https://www.fireeye.com/blog/threat-research/2013/02/in-turn-its-pdf-time.html

http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/themysteryofthepdf0-dayassemblerm



http://www.crysys.hu/miniduke/miniduke_indicators_public.pdf



http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storms-domestic-spying-campaign-rev

http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storms-domestic-spying-campaign-rev

https://securelist.com/blog/incidents/64107/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/

http://www.boost.org/users/history/version_1_54_0.html

http://www.boost.org/users/history/version_1_54_0.html






http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related

http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related

https://securelist.com/blog/research/71443/minidionis-one-more-apt-with-a-usage-of-cloud-drives/

http://malware.prevenity.com/2015/04/malware-w-5-rocznice-katastrofy-samolotu.html

http://malware.prevenity.com/2015/04/malware-w-5-rocznice-katastrofy-samolotu.html

http://malware.prevenity.com/2015/08/wykradanie-danych-z-instytucji.html

http://malware.prevenity.com/2015/08/wykradanie-danych-z-instytucji.html

https://en.wikipedia.org/wiki/Moscow_Time

https://www.exploit-db.com/exploits/15609/

https://www.exploit-db.com/exploits/15609/

https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf

http://efele.net/maps/tz/russia/


38

PinchDuke

Campaign identifiers

• alkavkaz.com20081105

• cihaderi.net20081112

• 20090111

• diploturk_20090305_faruk

• 20090310I

• mofa.go.ug_20090317

• plcz_20090417

• 20090421_NN1

• 20090427_n_8

• 20090513_Cr

• natoinfo_ge

• 20090608_G

• mod_ge_2009_07_03

• 20090909_Bel

• mofa-go-ug-2009-09-09

• 20091008_Af

• nat_20092311

• turtsia_20091128

• mfagovtr_20091204

• modge_20100126

• GEN20100215

• par_ge_20100225

• pr_ge_20100225

• tika_20100326

• harpa_20100329

• sanat_20100412

• mfakg_20100413

• leskz_20100414

• leskg_20100422

• az_emb_uz_20100518

• sat_20100524

• emb_azerb_uz_20100609

• sat_2010_07_26

• kaz_2010_07_30

Malware SHA1 hashes

• 07b4e44b6b3e1c3904ded7d6c9dcf7fa609467ef

• 0cf68d706c38ab112e0b667498c24626aec730f6

• 155004c1cc831a7f39caf2bec04f1841b61af802

• 17df96e423320ddfb7664413bf562a6b1aaef9d4

• 1c124e1523fcbef25c4f3074b1f8088bcad2230f

• 285ac0fb341e57c87964282f621b3d1f018ab7ea

• 2f156a9f861cda356c4ddf332d71937ac9962c68

• 333f5acc35ea0206f7d1deadcb94ca6ec9564d02

• 34af1909ec77d2c3878724234b9b1e3141c91409

• 383fc3c218b9fb0d4224d69af66caf09869b4c73

• 45ee9aa9f8ef3a9cc0b4b250766e7a9368a30934

• 52164782fc9f8a2a6c4be2b9cd000e4a60a860ed

• 7371eecafbaeefd0dc5f4dd5737f745586133f59

• 797b3101b9352be812b8d411179ae765e14065a6

• a10f2dc5dbdbf1a11ebe4c3e59a4c0e5d14bcc8a

• a3dfb5643c824ae0c3ba2b7f3efb266bfbf46b02

• ad2cac618ab9d9d4a16a2db32410607bbf98ce8f

• bf48d8126e84185e7825b69951293271031cbad4

• c1e229219e84203ba9e26f2917bd268656ff4716

• c59114c79e3d3ddd77d6919b88bc99d40205e645

• c8ae844baea44ec1db172ae9b257dbac04dcbbe7

• d5905327f213a69f314e2503c68ef5b51c2d381e

• e7720ab728cb18ea329c7dd7c9b7408e266c986b

• fdc65f38f458ceddf5a5e3f4b44df7337a1fb415

• fdfd9abbaafe0bee747c0f1d7963d903174359df

Exploit file SHA1 hashes

• 50f8ea7eb685656c02a83420b3910d14ac588c8b

• 9fae684a130c052ad2b55ebaf7f6e513c0e62abe

APPENDIX I: DATA LISTINGS


39

GeminiDuke

Malware SHA1 hashes

• 3ed561786ca07c8e9862f4f682c1828a039d6dd4

• 6b0b8ad038c7ae2efbad066b8ba22de859b81f98

• a3653091334892cf97a55715c7555c8881230bc4

• b14b9241197c667f00f86d096d71c47d6fa9aca6

• c011552d61ac5a87d95e43b90f2bf13077856def

CosmicDuke

Malware SHA1 hashes

• 01e5080b832c6e4fcb7b9d06caffe03dab8d95da

• 02f55947402689ec755356ab6b0345a592446da7

• 03c5690728b7dffb2f4ab947fe390264751428aa

• 0653a8f06b140f4fac44acb3be723d7bb2602558

• 0bc8485ce6c24bb888e2329d479c9b7303bb98b4

• 0c8db6542172de98fa16c9bacfef9ed4099fd872

• 0d8f41fe09dbd75ab953f9e64a6cdbbbc198bf2b

• 0e5f55676e01d8e41d77cdc43489da8381b68086

• 0ff7ce34841c03c876b141c1f46d0ff2519889cc

• 11b5cfb37efb45d2c721cbf20cab7c1f5c1aa44b

• 151362502d569b16453e84a2f5d277d8e4e878c2

• 174373ab44cf6e7355f9dbb8469453519cb61a44

• 18d983ba09da695ce704ab8093296366b543996a

• 1a31245e943b131d81375d70b489d8e4bf3d6dce

• 1ce049522c4df595a1c4c9e9ca24be72dc5c6b28

• 1df78a1dc0aa3382fcc6fac172b70aafd0ed8d3d

• 1e5c6d3f64295cb36d364f7fa183177a3f5e6b7e

• 2345cd5c112e55ba631dac539c8efab850c536b2

• 2b1e7d54723cf9ee2fd133b8f17fa99470d7a51a

• 322e042cf1cb43a8072c4a4cbf6e37004a88d6f7

• 332aac7bdb0f697fd96e35c31c54d15e548061f4

• 365f61c7886ca82bfdf8ee19ce0f92c4f7d0901e

• 3980f0e3fe80b2e7378325ab64ecbe725ae5eca9

• 3f4a5bf72a15b7a8638655b24eb3359e229b9aea

• 42dbfbedd813e6dbea1398323f085a88fa014293

• 4a9875f646c5410f8317191ef2a91f934ce76f57

• 4aaac99607013b21863728b9453e4ffee67b902e

• 4e3c9d7eb8302739e6931a3b5b605efe8f211e51

• 4fbc518df60df395ea27224cb85c4da2ff327e98

• 4fd46c30fb1b6f5431c12a38430d684ed1ff5a75

• 524aaf596dc12b1bb479cd69c620914fd4c3f9c9

• 541816260c71535cfebc743b9e2770a3a601acdf

• 558f1d400be521f8286b6a51f56d362d64278132

• 55f83ff166ab8978d6ce38e80fde858cf29e660b

• 580eca9e36dcd1a2deb9075bcae90afee46aace2

• 5a199a75411047903b7ba7851bf705ec545f6da9

• 5c5ec0b5112a74a95edc23ef093792eb3698320e

• 63aedcd38fe947404dda4fbaddb1da539d632417

• 6483ed51bd244c7b2cf97db62602b19c27fa3059

• 658db78c0ce62e08e86b51988a222b5fb5fbb913

• 6a43ada6a3741892b56b0ef38cdf48df1ace236d

• 6b7a4ccd5a411c03e3f1e86f86b273965991eb85

• 6db1151eeb4339fc72d6d094e2d6c2572de89470

• 7631f1db92e61504596790057ce674ee90570755

• 764add69922342b8c4200d64652fbee1376adf1c

• 7803f160af428bcfb4b9ea2aba07886f232cde4e

• 78d1c1e11ebae22849bccb3eb154ec986d992364

• 7ad1bef0ba61dbed98d76d4207676d08c893fc13

• 807c3db7385972a78b6d217a379dab67e68a3cf5

• 88b7ead7c0bf8b3d8a54b4a9c8871f44d1577ce7

• 8a2227cafa5713297313844344d6b6d9e0885093

• 8aa9f5d426428ec360229f4cb9f722388f0e535c

• 8ab7f806fa18dd9a9c2dc43db0ad3ee79060b6e8

• 8f4138e9588ef329b5cf5bc945dee4ad9fec1dff

• 9090de286ce9126e8e9c1c3a175a70ab4656ca09

• 91fd13a6b44e99f7235697ab5fe520d540279741

• 926046f0c727358d1a6fbdd6ff3e28bc67d5e2f6

• 9700c8a41a929449cfba6567a648e9c5e4a14e70

• 97c62e04b0ce401bd338224cdd58f5943f47c8de

• a2ed0eaaeadaa90d25f8b1da23033593bb76598e

• a421e0758f1007527fec4d72fa2668da340554c9

• a74eceea45207a6b46f461d436b73314b2065756

• a7819c06746ae8d1e5d5111b1ca711db0c8d923e

• a81b58b2171c6a728039dc493faaf2cab7d146a5

• b2a951c5b2613abdb9174678f43a579592b0abc9

• b54b3c67f1827dab4cc2b3de94ff0af4e5db3d4c

• b579845c223331fea9dfd674517fa4633082970e

• bbe24aa5e554002f8fd092fc5af7747931307a15

• c2b5aff3435a7241637f288fedef722541c4dad8

• c637a9c3fb08879e0f54230bd8dca81deb6e1bcf

• cbca642acdb9f6df1b3efef0af8e675e32bd71d1

• ccb29875222527af4e58b9dd8994c3c7ef617fd8

• cd7116fc6a5fa170690590e161c7589d502bd6a7

• d303a6ddd63ce993a8432f4daab5132732748843

• e60d36efd6b307bef4f18e31e7932a711106cd44

• e841ca216ce4ee9e967ffff9b059d31ccbf126bd

• ecd2feb0afd5614d7575598c63d9b0146a67ecaa

• ed14da9b9075bd3281967033c90886fd7d4f14e5

• ed328e83cda3cdf75ff68372d69bcbacfe2c9c5e

• f621ec1b363e13dd60474fcfab374b8570ede4de

• fbf290f6adad79ae9628ec6d5703e5ffb86cf8f1

fecdba1d903a51499a3953b4df1d850fbd5438bd

Exploit file SHA1 hashes

• 1e770f2a17664e7d7687c53860b1c0dc0da7157e

• 353540c6619f2bba2351babad736599811d3392e

• 412d488e88deef81225d15959f48479fc8d387b3

• 5295b09592d5a651ca3f748f0e6401bd48fe7bda

• 65681390d203871e9c21c68075dbf38944e782e8

• 74bc93107b1bbae2d98fca6d819c2f0bbe8c9f8a

• 8949c1d82dda5c2ead0a73b532c4b2e1fbb58a0e

• c671786abd87d214a28d136b6bafd4e33ee66951

• f1f1ace3906080cef52ca4948185b665d1d7b13e


40

MiniDuke

Malware SHA1 hashes

• 00852745cb40730dc333124549a768b471dff4bc

• 03661a5e2352a797233c23883b25bb652f03f205

• 045867051a6052d1d910abfcb24a7674bcc046ca

• 0d78d1690d2db2ee322ca11b82d79c758a901ebc

• 0e263d80c46d5a538115f71e077a6175168abc5c

• 103c37f6276059a5ff47117b7f638013ccffe407

• 118114446847ead7a2fe87ecb4943fdbdd2bbd1e

• 15c75472f160f082f6905d57a98de94c026e2c56

• 1ba5bcd62abcbff517a4adb2609f721dd7f609df

• 1e6b9414fce4277207aab2aa12e4f0842a23f9c1

• 223c7eb7b9dde08ee028bba6552409ee144db54a

• 28a43eac3be1b96c68a1e7463ae91367434a2ac4

• 296fd4c5b4bf8ea288f45b4801512d7dec7c497b

• 2a13ae3806de8e2c7adba6465c4b2a7bb347f0f5

• 2ceae0f5f3efe366ebded0a413e5ea264fbf2a33

• 2d74a4efaecd0d23afcad02118e00c08e17996ed

• 30b377e7dc2418607d8cf5d01ae1f925eab2f037

• 31ab6830f4e39c2c520ae55d4c4bffe0b347c947

• 36b969c1b3c46953077e4aabb75be8cc6aa6a327

• 416d1035168b99cc8ba7227d4c7c3c6bc1ce169a

• 43fa0d5a30b4cd72bb7e156c00c1611bb4f4bd0a

• 493d0660c9cf738be08209bfd56351d4cf075877

• 4b4841ca3f05879ca0dab0659b07fc93a780f9f1

• 4ec769c15a9e318d41fd4a1997ec13c029976fc2

• 53140342b8fe2dd7661fce0d0e88d909f55099db

• 5acaea49540635670036dc626503431b5a783b56

• 5b2c4da743798bde4158848a8a44094703e842cb

• 634a1649995309b9c7d163af627f7e39f42d5968

• 683104d28bd5c52c53d2e6c710a7bd19676c28b8

• 694fa03160d50865dce0c35227dc97ffa1acfa48

• 73366c1eb26b92886531586728be4975d56f7ca5

• 827de388e0feabd92fe7bd433138aa35142bd01a

• 909d369c42125e84e0650f7e1183abe740486f58

• 9796d22994ff4b4e838079d2e5613e7ac425dd1d

• a32817e9ff07bc69974221d9b7a9b980fa80b677

• a4e39298866b72e5399d5177f717c46861d8d3df

• a6c18fcbe6b25c370e1305d523b5de662172875b

• a9e529c7b04a99019dd31c3c0d7f576e1bbd0970

• ad9734b05973a0a0f1d34a32cd1936e66898c034

• b27f6174173e71dc154413a525baddf3d6dea1fd

• b8b116d11909a05428b7cb6dcce06113f4cc9e58

• c17ad20e3790ba674e3fe6f01b9c10270bf0f0e4

• c39d0b12bb1c25cf46a5ae6b197a59f8ea90caa0

• c6d3dac500de2f46e56611c13c589e037e4ca5e0

• cb3a83fc24c7b6b0b9d438fbf053276cceaacd2e

• cc3df7de75db8be4a0a30ede21f226122d2dfe87

• cd50170a70b9cc767aa4b21a150c136cb25fbd44

• cdcfac3e9d60aae54586b30fa5b99f180839deed

• d22d80da6f042c4da3392a69c713ee4d64be8bc8

• d81b0705d26390eb82188c03644786dd6f1a2a9e

• de8e9def2553f4d211cc0b34a3972d9814f156aa

• e4add0b118113b2627143c7ef1d5b1327de395f1

• e95e2c166be39a4d9cd671531b376b1a8ceb4a55

• edf74413a6e2763147184b5e1b8732537a854365

• efcb9be7bf162980187237bcb50f4da2d55430c2

• f62600984c5086f2da3d70bc1f5042cf464f928d

CozyDuke

Malware SHA1 hashes

• 01d3973e1bb46e2b75034736991c567862a11263

• 04aefbf1527536159d72d20dea907cbd080793e3

• 0e020c03fffabc6d20eca67f559c46b4939bb4f4

• 1e5f6a5624a9e5472d547b8aa54c6d146813f91d

• 207be5648c0a2e48be98dc4dc1d5d16944189219

• 23e20c523b9970686d913360d438c88e6067c157

• 25b6c73124f11f70474f2687ad1de407343ac025

• 32b0c8c46f8baaba0159967c5602f58dd73ebde9

• 446daabb7ac2b9f11dc1267fbd192628cc2bac19

• 482d1624f9450ca1c99926ceec2606260e7ce544

• 49fb759d133eeaab3fcc78cec64418e44ed649ab

• 5150174a4d5e5bb0bccc568e82dbb86406487510

• 543783df44459a3878ad00ecae47ff077f5efd7b

• 6b0721a9ced806076f84e828d9c65504a77d106c

• 6e00b86a2480abc6dbd971c0bf6495d81ed1b629

• 78e9960cc5819583fb98fb619b33bff7768ee861

• 7e9eb570ef07b793828c28ca3f84177e1ab76e14

• 8099a40b9ef478ee50c466eb65fe71b247fcf014

• 87668d14910c1e1bb8bbea0c6363f76e664dcd09

• 8b357ff017df3ed882b278d0dbbdf129235d123d

• 8c3ed0bbdc77aec299c77f666c21659840f5ce23

• 93d53be2c3e7961bc01e0bfa5065a2390305268c

• 93ee1c714fad9cc1bf2cba19f3de9d1e83c665e2

• 9b56155b82f14000f0ec027f29ff20e6ae5205c2

• b65aa8590a1bac52a85dbd1ea091fc586f6ab00a

• bdd2bae83c3bab9ba0c199492fe57e70c6425dd3

• bf265227f9a8e22ea1c0035ac4d2449ceed43e2b

• bf9d3a45273608caf90084c1157de2074322a230

• c3d8a548fa0525e1e55aa592e14303fc6964d28d

• c6472898e9085e563cd56baeb6b6e21928c5486d

• ccf83cd713e0f078697f9e842a06d624f8b9757e

• dea73f04e52917dc71cc4e9d7592b6317e09a054

• e0779ac6e5cc76e91fca71efeade2a5d7f099c80

• e76da232ec020d133530fdd52ffcc38b7c1d7662

• e78870f3807a89684085d605dcd57a06e7327125

• e99a03ebe3462d2399f1b819f48384f6714dcba1

• ea0cfe60a7b7168c42c0e86e15feb5b0c9674029

• eb851adfada7b40fc4f6c0ae348694500f878493

• f2ffc4e1d5faec0b7c03a233524bb78e44f0e50b

• f33c980d4b6aaab1dc401226ab452ce840ad4f40

• f7d47c38eca7ec68aa478c06b1ba983d9bf02e15


41

OnionDuke

Malware SHA1 hashes

• 073faad9c18dbe0e0285b2747eae0c629e56830c

• 145c5081037fad98fa72aa4d6dc6c193fdb1c127

• 16b632b4076a458b6e2087d64a42764d86b5b021

• 1e200fbb02dc4a51ea3ede0b6d1ff9004f07fe73

• 22bae6be13561cec758d25fa7adac89e67a1f33a

• 25e0af331b8e9fed64dc0df71a2687be348100e8

• 3bf6b0d49b8e594f8b59eec98942e1380e16dd22

• 42429d0c0cade08cfe4f72dcd77892b883e8a4bc

• 5ccff14ce7c1732fadfe74af95a912093007357f

• 61283ef203f4286f1d366a57e077b0a581be1659

• 6b3b42f584b6dc1e0a7b0e0c389f1fbe040968aa

• 6b631396013ddfd8c946772d3cd4919495298d40

• 7b3652f8d51bf74174e1e5364dbbf901a2ebcba1

• 7d17917cb8bc00b022a86bb7bab59e28c3453126

• 7d871a2d467474178893cd017e4e3e04e589c9a0

• 7efd300efed0a42c7d1f568e309c45b2b641f5c2

• 91cb047f28a15b558a9a4dff26df642b9001f8d7

• 9a277a63e41d32d9af3eddea1710056be0d42347

• a75995f94854dea8799650a2f4a97980b71199d2

• b3873d2c969d224b0fd17b5f886ea253ac1bfb5b

• b491c14d8cfb48636f6095b7b16555e9a575d57f

• c1ec762878a0eed8ebf47e122e87c79a5e3f7b44

• cce5b3a2965c500de8fa75e1429b8be5aa744e14

• d433f281cf56015941a1c2cb87066ca62ea1db37

• e09f283ade693ff89864f6ec9c2354091fbd186e

• e519198de4cc8bcb0644aa1ab6552b1d15c99a0e

• f2b4b1605360d7f4e0c47932e555b36707f287be

• f3dcbc016393497f681e12628ad9411c27e57d48

SeaDuke

Malware SHA1 hashes

• 3459d9c27c31c0e8b2ea5b21fdc200e784c7edf4

• aa7cf4f1269fa7bca784a18e5cecab962b901cc2

• bb71254fbd41855e8e70f05231ce77fee6f00388

HammerDuke

Malware SHA1 hashes

• 42e6da9a08802b5ce5d1f754d4567665637b47bc

CloudDuke

Malware SHA1 hashes

• 04299c0b549d4a46154e0a754dda2bc9e43dff76

• 10b31a17449705be20890ddd8ad97a2feb093674

• 2e27c59f0cf0dbf81466cc63d87d421b33843e87

• 2f53bfcd2016d506674d0a05852318f9e8188ee1

• 317bde14307d8777d613280546f47dd0ce54f95b

• 44403a3e51e337c1372b0becdab74313125452c7

• 47f26990d063c947debbde0e10bd267fb0f32719

• 4800d67ea326e6d037198abd3d95f4ed59449313

• 52d44e936388b77a0afdb21b099cf83ed6cbaa6f

• 6a3c2ad9919ad09ef6cdffc80940286814a0aa2c

• 7b8851f98f765038f275489c69a485e1bed4f82d

• 84ba6b6a0a3999c0932f35298948f149ee05bc02

• 910dfe45905b63c12c6f93193f5dc08f5b012bc3

• 9f5b46ee0591d3f942ccaa9c950a8bff94aa7a0f

• bfe26837da22f21451f0416aa9d241f98ff1c0f8

• c16529dbc2987be3ac628b9b413106e5749999ed

• cc15924d37e36060faa405e5fa8f6ca15a3cace2

• d7f7aef824265136ad077ae4f874d265ae45a6b0

• dea6e89e36cf5a4a216e324983cc0b8f6c58eaa8

• ed0cf362c0a9de96ce49c841aa55997b4777b326

• f54f4e46f5f933a96650ca5123a4c41e115a9f61

• f97c5e8d018207b1d546501fe2036adfbf774cfd

• fe33b9f95db53c0096ae9fb9672f9c7c32d22acf


42

Related IP addresses

• 128.199.138.233

• 151.236.23.31

• 173.236.70.212

• 176.74.216.14

• 178.21.172.157

• 178.63.149.142

• 184.154.184.83

• 188.116.32.164

• 188.241.115.41

• 188.40.13.99

• 195.43.94.104

• 199.231.188.109

• 212.76.128.149

• 46.246.120.178

• 46.246.120.178

• 5.45.66.134

• 50.7.192.146

• 64.18.143.66

• 66.29.115.55

• 69.59.28.57

• 82.146.47.163

• 82.146.51.22

• 83.149.74.73

• 85.17.143.149

• 87.118.106.55

• 87.255.77.36

• 88.150.208.207

• 91.221.66.242

• 91.224.141.235

• 94.242.199.88

• 96.9.182.37

Related domain names

• airtravelabroad.com

• beijingnewsblog.net

• deervalleyassociation.com

• greencastleadvantage.com

• grouptumbler.com

• juliet.usexy.cc

• leveldelta.com

• nasdaqblog.net

• natureinhome.com

• nestedmail.com

• nostressjob.com

• nytunion.com

• oilnewsblog.com

• overpict.com

• serials.hacked.jp

• sixsquare.net

• store.extremesportsevents.net

• ustradecomp.com Note: the listed IP addresses and domain names are provided for research purposes. While all of them have been associated with the Dukes at some point in time, they may or may not be currently in use by the Dukes.

F-Secure detection names

• Backdoor:W32/MiniDuke.A

• Trojan-Dropper:W32/MiniDuke.B

• Exploit:W32/MiniDuke.C

• Trojan-Dropper:W32/MiniDuke.D

• Backdoor:W32/MiniDuke.E

• Backdoor:W32/MiniDuke.F

• Backdoor:W32/MiniDuke.F

• Backdoor:W32/MiniDuke.H

• Backdoor:W32/MiniDuke.I

• Backdoor:W32/MiniDuke.J

• Trojan-Dropper:W32/CosmicDuke.A

• Trojan-PSW:W32/CosmicDuke.B

• Trojan:W32/CosmicDuke.C

• Exploit:W32/CosmicDuke.D

• Exploit:SWF/CosmicDuke.E

• Trojan-PSW:W32/CosmicDuke.F

• Trojan-Dropper:W32/CosmicDuke.G

• Trojan:W32/CosmicDuke.H

• Trojan:W32/CosmicDuke.I66.29.115.55

• Backdoor:W32/OnionDuke.A

• Trojan-Dropper:W32/OnionDuke.A

• Backdoor:W32/OnionDuke.B

• Trojan:W32/OnionDuke.C

• Trojan:W32/OnionDuke.D

• Trojan-PSW:W32/OnionDuke.E

• Trojan:W32/OnionDuke.F

• Trojan:W32/OnionDuke.G

• Trojan:W32/CozyDuke.A

• Trojan:W32/CozyDuke.B

• Trojan-Dropper:W32/CozyDuke.C

• Trojan:W32/CozyDuke.D

• Trojan:W64/CozyDuke.E

• Trojan-Downloader:W32/CloudDuke.A

• Trojan:W32/CloudDuke.B

• Trojan:W64/CloudDuke.B

• Backdoor:W32/SeaDuke.A

Note: F-Secure also detects various Duke malware components with other detections not specific to the Dukes.

ABOUT F-SECURE

Nobody has better visibility into real-life cyber attacks than F-Secure. We’re closing the gap between detection and response,

utilizing the unmatched threat intelligence of hundreds of our industry’s best technical consultants, millions of devices running

our award-winning software, and ceaseless innovations in artificial intelligence. Top banks, airlines, and enterprises trust our

commitment to beating the world’s most potent threats.

Together with our network of the top channel partners and over 200 service providers, we’re on a mission to make sure everyone has the enterprise-grade cyber security we all need. Founded in

1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.

f-secure.com/business | twitter.com/fsecure | linkedin.com/f-secure

https://www.f-secure.com/en/business

http://twitter.com/fsecure

https://www.linkedin.com/company/f-secure-corporation/

THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3...

Documents

Transcript of THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3...